Commercial Cyber Crime - Social Networks Malware

Commercial Crime International, December 2011, page 11. More information online at www.icc-ccs.org

Cybercrime

Online Social Networks – Launch pads for Malware

The advent of social networks has turned the online world into a virtual society. And whilst social networks serve as seamless communication channels, they are also an ideal launch pad for malware infections. There has been a tremendous increase in the dissemination of malware infections through social networks. But the security and privacy mechanisms of social networks have proven insufficient to prevent exploitation. Aditya Sood and Richard Enbody explain the dangers.

Social networks hold a plethora of personal information on the users that form the network. Individual connections between users collectively form a web of connections. To build each link between users an implicit trust is required between the two users, and implicitly across the entire network. Any information provided by an individual user through chained connections becomes a part of the full network. If an attacker is able to exploit one user in the social network, they have the potential to push malicious content (such as malicious URLs) into the network. The connectivity of the network enables the spread of the exploitation. That is, the attacker exploits the weakest link in the chain. This exploitation process is aided by the inability of users (and their stored objects) to determine the legitimacy of content flowing through the social network. The infection process begins with the exploitation of human ignorance and curiosity, followed by spreading of the infection through the trust upon which the network is based.

In order to start the exploitation process, an attacker can pick any issue that affects human emotions to drive the user in a social network to follow the path generated by the attacker. Topics such as weather calamities, political campaigns, national affairs, medical outbreaks and financial transactions are used for initiating infections. Phishing and spamming are used extensively for spreading messages on these topics with malicious intent. Basically, it is a trapping mechanism used by attackers to infect an entire online social network.

Exploit Mechanisms – The Art of Infection

Since social network exploitation begins by exploiting an individual user’s trust, curiosity or ignorance, common attack strategies have emerged:

One of the simplest infection techniques is the injection of malicious URLs into a user’s message wall. Since it can be difficult to differentiate between legitimate URLs and illegitimate ones, even a careful user can be tempted to click on the link. Unfortunately for the user, clicking the hyperlink can result in automatic download of malware from a malicious domain through the browser.

Browser Exploit Packs (BEP) hold a number of browser-based exploits that are bundled together to customise the response to a victim. When a user visits a malicious domain, the BEP fingerprints the browser version and the related environment of the user machine. Based on this information, a suitable exploit is served to the user which exploits the integrity of that particular browser.

Drive-by-Download attacks are triggered by visiting a malicious page. They exploit browser vulnerabilities in plugins and built-in components. Successful exploitation of the vulnerability results in the execution of shell code that in turn downloads the malware into the system. A variation of the Drive-by-Download attack is the Drive-by-Cache attack, which can exploit browser cache functionality in order to execute malware.

Malicious advertisements (malvertisements) are yet another technique to spread malware infections through online social networks. When an attacker injects the malicious link in a user message board, it is linked to a third party website which has malicious advertisements embedded in it. These advertisements are further linked to malicious JavaScripts that are retrieved by the browser, which executes the malicious content in the context of the running browser with the user’s privileges.

The biggest problem with online social networks is that they do not have sufficient built-in protection against malware. For example, current (continued on page 12)

Aditya K Sood is a senior security researcher and PhD candidate at Michigan State University. He is also a founder of SecNiche Security Labs, an independent arena for cutting edge computer security research. Richard J. Enbody, Ph.D, is associate professor in the Department of Computer Science and Engineering at Michigan State University (USA).


Published monthly by Commercial Crime Services, Cinnabar Wharf, 26 Wapping High Street, London E1W 1NG, UK.
Tel: +44 (0) 20 7423 6960 Fax: +44 (0) 20 7423 6961
Email: [email protected] Website: www.icc-ccs.org
Editor: Andy Holder Email [email protected]
ISSN 1012-2710

No part of this publication may be reproduced, stored in a retrieval system, or translated in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise without the prior permission of the publishers.

While every effort has been made to check the information given in this publication, the authors, editors, and publishers cannot accept any responsibility for any loss or damage whatsoever arising out of, or caused by the use of, such information. Opinions expressed in Commercial Crime International are those of the individual authors and not necessarily those of the publisher.

Copyright 2011. All rights reserved.

Cybercrime

Online Social Networks – Launch pads for Malware (continued from page 11)

For example, current social networks do not scan the URLs and embedded content coming from third party servers such as Content Delivery Networks. Therefore, there is no mechanism to detect the authenticity of URLs that are passed as message content among the user objects in the online social networks. In addition, it is easy to upload malvertisements, and social networks fail to raise any warning. Online social networks are not harnessing the power of Safe Browsing APIs from Google or similar services to instantiate a verification procedure before posting a URL back to a user profile. Lack of such basic protections is a key factor in making the social networks vulnerable to exploitation.

Finally, many social network users are not knowledgeable enough to differentiate between real and malicious entities. Ignorance not only results in exploitation, but also greatly impacts the overall security of online social networks. Because of the high connectivity and need for trust in a social network, users are particularly dependent on the built-in security features of online social networks, but the security features are not tough enough to thwart many malware attacks.

Conclusion

Robust security and privacy mechanisms are indispensable for safe online social networking. Built-in security is necessary because attackers exploit trust, curiosity and ignorance to garner maximum profit. User awareness regarding security concerns is important but can only spread gradually, so social networks should be proactive and develop more sophisticated and stringent mechanisms to thwart malware infections. Safe and secure transmission of information and robust user privacy should be the paramount concern of the social networking companies.

EDF fined for hacking Greenpeace

EDF, the French energy firm, was recently fined Euro 1.5 million by a Paris court for spying on Greenpeace. It must also pay Greenpeace Euro 500,000 in damages. Two EDF employees were jailed, along with the head of the company they hired to hack into the environmental charity’s computers.

EDF was charged with complicity in concealing stolen documents and complicity to intrude on a computer network. It was claimed the company had organised surveillance not only of Greenpeace in France, but broadly across Europe since 2004. And it was stated that in 2006, EDF hired a detective agency, Kargus Consultants, run by a former member of France’s secret services, to find out about Greenpeace France’s intentions and its plan to block new nuclear plants in the UK. The agency allegedly hacked the computer of Yannick Jadot, Greenpeace’s then campaigns director, taking 1,400 documents.

At the trial, EDF said it had been the victim of overzealous efforts, and had been unaware anyone would hack a computer. But Greenpeace UK’s executive director, John Sauven, said: “The evidence presented at the trial showed that the espionage undertaken by EDF in its efforts to discredit Greenpeace was both extensive and totally illegal. The company should now give a full account of the spying operation it mounted.”

Whilst anti-nuclear activists are reportedly furious at what EDF did, a security expert has commented that the only real surprise is that this sort of trojan-assisted industrial espionage has not reached the courts before.

Philip Lieberman said that the case is notable because the saga started more than five years ago. And, he wondered, how many other cases of trojan-assisted industrial espionage have been carried out in recent years. “What does this case tell us? Quite simply that trojan-assisted infections are almost certainly an integral part of the modern-day private detective’s IT arsenal when conducting industrial espionage,” he said. And we should ask whether terrorists are using the same techniques to assist their campaigns.